1 / 21

The Dons present… OPLIN’s Security Audit

The Dons present… OPLIN’s Security Audit. Don Nuss & Don Yarman OLC Annual Conference Friday, October 7, 2005. Background. Gates Staying Connected Grants Discussions with advisors, regionals RFQ Selection of Infiniti Systems Group, Inc. ISS Internet Scanner

katina
Download Presentation

The Dons present… OPLIN’s Security Audit

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Dons present…OPLIN’s Security Audit Don Nuss & Don Yarman OLC Annual Conference Friday, October 7, 2005

  2. Background • Gates Staying Connected Grants • Discussions with advisors, regionals • RFQ • Selection of Infiniti Systems Group, Inc. • ISS Internet Scanner • eEye Retina Network Security Scanner • AirDefense Enterprise

  3. Vision Statement • A full assessment of the state of the routers, web servers, mail servers and proxies on the network that are under our control. • A list of all libraries they can penetrate past the border router. • A full assessment and testing of the routers, web servers, mail servers and proxies (possibly ALL devices) of 25 libraries. • A clear statement of the minimum requirements OPLIN should demand of every building connected to the network. • Recommended steps libraries should take over and above the minimum. • Recommended products and services the OPLIN Support Center should supply routinely. • A list of recommended monitoring tools and knowledge transfer to OPLIN Staff so that they can carry on with security monitoring.

  4. 1. A full assessment of the state of the routers, web servers, mail servers and proxies on the network that are under our control “Overall, we found OPLIN’s Core network to be very secure from both internal and external attacks and compromise. “While we were able to discover core routers, name servers, mail, www, and the OPLIN backup server, because of OPLIN’s superior network architecture, we were unable to discover any information about the Core devices which would have enabled us to compromise the network.”

  5. 2. A list of all libraries they can penetrate past the border router. ACLs and other security measures applied to the OPLIN core and site routers prevented Infiniti from actively peering into the libraries.

  6. 3. A full assessment and testing of the routers, web servers, mail servers and proxies (possibly ALL devices) of 25 libraries. OPLIN will choose the sample. Stark County District Library Clermont County District Library Euclid Public Library Newark Public Library System Lima Public Library PL of Mt. Vernon and Knox County Portsmouth Public Library Chillicothe & Ross County Public Library Wood County District Public Library Rodman Public Library Pickerington Public Library Salem Public Library Kinsman Free Public Library Defiance Public Library Auglaize County Public District Library Puskarich Public Library Paulding County Carnegie Library Huron Public Library Carnegie Public Library (East Liverpool) Harbor-Topky Memorial Library Bucyrus Public Library Community Public Library (St Marys) Pemberville Public Library Herrick Memorial Public Library New Straitsville Public Library

  7. Statistics • 88% had a firewall of some sort. • 29% were using an ISA firewall. • 4% had separated public and staff data. • 83% had an up-to-date antivirus solution. • 25% were up to date on patches.

  8. Statistics • 50% were using wireless. • 42% had secured the connection. • 13% had a non-OPLIN connection • 33% had outsourced their network support • 50% utilized consortium support

  9. Ratings Far Above Average – 8% Above Average – 25% Average – 50% Below Average – 13% Far Below Average – 4%

  10. 4. A clear statement of the minimum requirements OPLIN should demand of every building connected to the network. • OPLIN worked with Infiniti to create proposed policies. The draft policy specified that every library must have: • A dedicated firewall device • A commercial-grade antivirus solution • A approved technology plan

  11. Instead, “OPLIN Community Good Neighbor Policy” • This policy created in 2002 specifies OPLIN procedures in the event that malicious, objectionable, or illegal activity is detected originating from our network. • Open mail relays which permit spam • Insecure hosts exploited by a hacker • Third party denial of service attacks

  12. 5. Recommended steps libraries should take over and above the minimum. (Staff can figure out what incentives we might supply) • Firewalls • Antivirus • Operating system updates • Data security & integrity • Caution with remote management

  13. Firewalls • Every site must have a firewall, ideally a dedicated appliance. 12% of libraries studied had no network firewall at all. OPLIN is investigating managed-firewall services that we can offer to assist libraries with this urgent need.

  14. Antivirus • Every institution must have an active antivirus program protecting every workstation. OPLIN has pursued discounts with a variety of vendors; more information is available at http://www.oplin.org/security.

  15. Operating system updates • We are sensitive to the obstacles of installing critical patches to every workstation and server in a library. But software vulnerabilities, particularly within Microsoft Windows, are easily and commonly exploited, and they pose a greater threat than computer viruses.

  16. Data security and integrity • Give serious thought to protecting network communications and stored data. Infiniti recommends segmenting the network traffic for library staff from that of the public into different subnets, a service OPLIN is able to implement • Communication between buildings could be encrypted or protected (perhaps by using a secure program like “Putty” instead of open telnet) • Wireless networks used by staff should be encrypted to protect the data • Good data backups are vital

  17. Caution with remote management • Many administrators find tools such as Microsoft Terminal Services or PC Anywhere to be indispensable, but they should be used with caution, and libraries should be mindful that they may provide unauthorized access into their systems.

  18. Bottom line… It is difficult to weigh the principles of security against the freedom and openness that libraries foster. We encourage libraries to give careful consideration to their local computer usage policies, particularly in regard to patron storage media (floppies, USB drives) and wireless access points. Actual policies are up to the individual library to set, but it is important that every library regularly devote attention to balancing patron convenience with library network security.

  19. 6. Recommended products and services the OPLIN Support Center should supply routinely. • OPLIN is working with Infiniti as well as the Network and Library Application Advisory Committees to develop services that we will present to you for approval later next spring. • Services will address… • Ongoing security monitoring of the OPLIN core. • Voluntary security audits for libraries. • Providing firewall service options for libraries. • Providing ongoing security awareness for the library community.

  20. 7. A list of recommended monitoring tools and knowledge transfer to OPLIN Staff so that they can carry on with security monitoring. • OPLIN has obtained the tools utilized by Infiniti during the audit. • eEye Retina Scanner • Internet Security Systems Scanner • We are developing a Audit Service that we hope to make available next spring.

  21. Questions? • For problems:OPLIN Support Center (support@oplin.org)888.966.7546 (888.96.OPLIN) • For questions:Don Yarman (yarmando@oplin.org)Don Nuss (nussdo@oplin.org) • This presentation is available online at www.oplin.org/presentations/secaudit.ppt

More Related